Providing password-based access to a private S3 bucket with Lambda and CloudFront

Oct 26, 2017

Amazon’s Simple Storage Service (S3) doesn’t natively support password-protected
access. However, we can use a CloudFront distribution and a private ACL to
control access to the bucket, then use Lambda to issue signed cookies after
validating a password.

The Lambda function returns the values for several cookies. The function and
API Gateway don’t set these cookies themselves, because that would require
setting up a custom domain name for API Gateway and using the same domain for
the CloudFront distribution.

The login page sets the cookies using the provided values and redirects the
user back to the homepage.
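The flow described above, sketched as an added example (not the code from this post or its Terraform module): a Node.js Lambda handler that checks the password in constant time and returns the three CloudFront signed-cookie values for a custom policy. The key pair ID, resource URL, password, one-hour lifetime and the throwaway RSA key are constructed placeholders; a real deployment would load the CloudFront signing key and password hash from configuration.

```javascript
const crypto = require('crypto');
// Constructed demo configuration (assumptions): a throwaway RSA key stands in for the CloudFront signing key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const salt = crypto.randomBytes(16);
const CONFIG = {
  keyPairId: 'KEXAMPLEKEYPAIRID',          // placeholder key pair ID
  resource: 'https://site.example.com/*',  // placeholder URL pattern for the distribution
  ttlSeconds: 3600,                        // assumed cookie lifetime
  salt,
  passwordHash: crypto.scryptSync('correct horse battery staple', salt, 32), // store the hash, not the password
};

// CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfSafe = (b64) => b64.replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');

// Compare scrypt hashes in constant time so response timing leaks nothing about the match.
function passwordOk(candidate) {
  if (typeof candidate !== 'string' || candidate.length > 1024) return false;
  const hash = crypto.scryptSync(candidate, CONFIG.salt, 32);
  return crypto.timingSafeEqual(hash, CONFIG.passwordHash);
}

// Build the cookie values for a custom policy that expires at expiresEpoch (seconds).
function signedCookieValues(expiresEpoch) {
  const policy = JSON.stringify({
    Statement: [{
      Resource: CONFIG.resource,
      Condition: { DateLessThan: { 'AWS:EpochTime': expiresEpoch } },
    }],
  });
  const signature = crypto.createSign('RSA-SHA1').update(policy).sign(privateKey, 'base64');
  return {
    'CloudFront-Policy': cfSafe(Buffer.from(policy).toString('base64')),
    'CloudFront-Signature': cfSafe(signature),
    'CloudFront-Key-Pair-Id': CONFIG.keyPairId,
  };
}

// Validate the posted password and return the cookie values as JSON; the login page sets them.
function issueCookies(body) {
  let password;
  try { password = JSON.parse(body || '{}').password; } catch { password = undefined; }
  if (!passwordOk(password)) return { statusCode: 401, body: JSON.stringify({ error: 'invalid password' }) };
  const expires = Math.floor(Date.now() / 1000) + CONFIG.ttlSeconds;
  return { statusCode: 200, body: JSON.stringify(signedCookieValues(expires)) };
}

// Lambda entry point (API Gateway proxy event shape assumed).
exports.handler = async (event) => issueCookies(event.body);
```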

Tutorial

Protip: For an easy way to create all of the required infrastructure, I’ve created a Terraform module.

Create a bucket with a private ACL.
The ACL prevents direct access to the bucket.